  • Information from Windows Registry

    Discussion in 'Ban Section - Ban Reports' started by Aetheric, May 15, 2013.

    1. Aetheric

      Aetheric Member

      Joined:
      Jul 25, 2012
      Messages:
      576
      Likes Received:
      2
      Trophy Points:
      18
      Question :
      How easy is it for any Windows application to retrieve the MuiCache from the Windows Registry?

      What I see in my registry (key: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache) is an interesting list of applications that have been started recently.

      And of course, our favourite Honorbuddy is in there as well.
      In my case, I see the following entries in the Registry:

      Name Type Data
      X:\HB\Honorbuddy.exe.ApplicationCompany REG_SZ Bossland GmbH
      X:\HB\Honorbuddy.exe.FriendlyAppName REG_SZ Honorbuddy


      Wouldn't a simple scan on that MuiCache by WOW.EXE be enough to immediately put a nice mark behind your account name, for closer inspection, when a "friendly" GM is up to it?
      It could even be a reason for an instant permanent BAN, if you ask me. The terms of use fully support that.
       
    2. jordi1104

      jordi1104 New Member

      Joined:
      Jun 4, 2012
      Messages:
      778
      Likes Received:
      4
      Trophy Points:
      0
      Hasn't this been answered before? WoW doesn't scan outside of its process, so it doesn't actually scan any other application.
       
    3. Aetheric

      Aetheric Member

      Joined:
      Jul 25, 2012
      Messages:
      576
      Likes Received:
      2
      Trophy Points:
      18
      The Windows registry is a centralised database and not directly related to any "application".
      Hence my question: how easy is it for an executable in Windows to read out the Registry, and in particular the MuiCache?
       
    4. favor98

      favor98 New Member

      Joined:
      Feb 5, 2013
      Messages:
      104
      Likes Received:
      0
      Trophy Points:
      0
      From what I was told by many people, and from some research I did on the internet, the WoW client can't (is not allowed by law to) scan outside wow.exe. In other words, if you use classic cheats that are injected into wow.exe, they can and WILL be
      detected; since HB is not one of those, it shouldn't be detectable. Blizzard was sued once already and lost quite a lot of money on that lawsuit.

      Also, I can't be sure about this due to a recent change in the ToS, where they added an additional "checkbox" saying that they are able to scan our PCs. But I think we would have heard about this far sooner if it were actually true.
       
    5. Aetheric

      Aetheric Member

      Joined:
      Jul 25, 2012
      Messages:
      576
      Likes Received:
      2
      Trophy Points:
      18
      I'm not a Windows developer, but what triggered me to post this question is that a Windows dev told me that the Windows API provides access to the Registry.
      This is how, he explained, applications "nest" themselves within the Windows environment.

      And applications are able to read out certain keys from this Registry.
      This has nothing to do with this particular program scanning the PC's memory or any shady action "outside" its own memory.

      Unfortunately, I didn't think of asking him how easy it would be for any Windows application to read those key-entries from the Registry.

      Hence my question on this forum - I'm sure there are Windows developers online - one of the HB devs perhaps? :)
       
    6. DemonBunneh

      DemonBunneh New Member

      Joined:
      May 15, 2013
      Messages:
      1
      Likes Received:
      0
      Trophy Points:
      0
      I'm no expert in C++ (WoW's language), but I do know how easy it is for a program to read from the registry. It's pretty much 10 lines of code to read a certain part of the registry. If anyone plays Arma II, then you will know about keystealers. All a keystealer does is read from a certain registry entry and then send it to a form/send an email.

      A solution to this is to use Sandboxie, although I'm not sure if it works with World of Warcraft.

      I hope I helped. ^^
       
    7. Aion

      Aion Well-Known Member Buddy Store Developer

      Joined:
      Jan 18, 2011
      Messages:
      3,907
      Likes Received:
      105
      Trophy Points:
      63
      Just ask any sufficiently prepared developer to check what the WoW executables write/read in the Windows registry.

      I could assume that if wow.exe were reading registry entries outside of its allowed scope, they would be revealed -> caught -> sued fast enough.

      There was something similar a year ago on Blizzard's side, checking the browser cookies for hacking sites like ownedcore, honorbuddy, etc.
       
    8. buzzerbeater

      buzzerbeater Well-Known Member

      Joined:
      Mar 21, 2011
      Messages:
      5,419
      Likes Received:
      28
      Trophy Points:
      48
      Good post, not much more to say.
       
    9. favor98

      favor98 New Member

      Joined:
      Feb 5, 2013
      Messages:
      104
      Likes Received:
      0
      Trophy Points:
      0
      Also, if they were able to scan, I would be banned and not farming right now ^^
       
    10. mkay1337

      mkay1337 New Member

      Joined:
      Apr 2, 2013
      Messages:
      171
      Likes Received:
      0
      Trophy Points:
      0
      Q: How easy is it?
      A: About 10 lines of C# code, and about 25 lines in VC++

      Q: Possible?
      A: Yes (since WoW runs with admin permissions)

      Q: Do they use it?
      A: Obviously NO (lawsuit, no scanning outside own process, blabbalba, they won't risk it)

      Q: ToU, EULA, stuff thingy says they are allowed
      A: "Law" is greater than "ToU" stuff; they can write whatever they want, but are not allowed to use it when the law says no. (Would you be allowed to kill a guy if he told you so? => NO)

      Q: proof?
      A: use one of the several Programs that monitor filesystem/registry access or use windows performance monitor (in taskmgr) and see for yourself
       
      Last edited: May 15, 2013
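The first post asks how easy it is for any Windows program to read the Shell MuiCache, and the post above answers "about 10 lines". The script below is an added example, not code from the thread or from any of the programs discussed in it: it enumerates that key the way any user-mode program could, splits each value name into the executable path and its attribute (FriendlyAppName or ApplicationCompany), and flags entries matching a watch-list. The watch-list strings are an assumption, taken from the two entries quoted in the first post. Two points a practitioner should note: the hive is HKCU, so reading it needs no elevation at all (any process running as the logged-in user can do it), and the shell does not remove an entry when the executable is deleted or moved, so the cache is a record of what was run, not of what is installed.

```powershell
# Added example (not from the thread): read the Shell MuiCache like any user-mode program could.
# Only the watch-list strings are assumptions; they are the values quoted in the first post.
$MuiCachePath = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache'
$WatchList    = @('Bossland GmbH', 'Honorbuddy')   # assumed: strings to flag, taken from post #1

function Get-MuiCacheEntries {
    param([string]$Path = $MuiCachePath)
    # Get-Item on a registry path returns a Microsoft.Win32.RegistryKey; opening HKCU needs no elevation.
    $key   = Get-Item -LiteralPath $Path -ErrorAction Stop
    $byExe = @{}
    foreach ($name in $key.GetValueNames()) {
        # Value names have the form "<full exe path>.<Attribute>", e.g.
        # "X:\HB\Honorbuddy.exe.FriendlyAppName" and "X:\HB\Honorbuddy.exe.ApplicationCompany".
        # Split on the LAST dot; names without a dot (e.g. the binary LangID value) are skipped.
        $dot = $name.LastIndexOf('.')
        if ($dot -lt 1) { continue }
        $exe  = $name.Substring(0, $dot)
        $attr = $name.Substring($dot + 1)
        if ($attr -notin 'FriendlyAppName', 'ApplicationCompany') { continue }
        if (-not $byExe.ContainsKey($exe)) {
            $byExe[$exe] = [ordered]@{
                Path               = $exe
                FriendlyAppName    = $null
                ApplicationCompany = $null
                # MuiCache entries outlive the file: a deleted or moved exe still shows up here.
                StillOnDisk        = [bool](Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue)
            }
        }
        $byExe[$exe][$attr] = [string]$key.GetValue($name)
    }
    $byExe.Values | ForEach-Object { [pscustomobject]$_ }
}

function Find-MuiCacheMatches {
    param([string[]]$Patterns = $WatchList)
    Get-MuiCacheEntries | Where-Object {
        $entry = $_
        $hit   = $false
        foreach ($p in $Patterns) {
            if ($entry.Path -like "*$p*" -or
                $entry.FriendlyAppName -like "*$p*" -or
                $entry.ApplicationCompany -like "*$p*") { $hit = $true }
        }
        $hit
    }
}

# Everything the shell remembered, then only the flagged entries.
Get-MuiCacheEntries | Sort-Object Path | Format-Table Path, FriendlyAppName, ApplicationCompany, StillOnDisk -AutoSize
Find-MuiCacheMatches | Format-List
```

Run it as the ordinary user, not elevated, to see the point of the first post for yourself: the list comes back without any privilege, and the StillOnDisk column shows which entries refer to programs that are no longer present.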
    11. Aetheric

      Aetheric Member

      Joined:
      Jul 25, 2012
      Messages:
      576
      Likes Received:
      2
      Trophy Points:
      18
      Nice response people, thank you so much for that.
      Always good to see a discussion going on, without people starting to "shout" by using a million exclamation marks and/or huge fonts in bold :)


      Indeed, WOW.EXE does access the Registry, that's very obvious, looking at the Resource Monitor in Windows.
      Exactly _what_ it's doing with that Registry, I can't determine.


      I'm not convinced about some of you writing that it would be "illegal" to access certain parts of the Registry.
      Windows provides an API that makes it possible to read the Registry.
      Anything in there that's too vulnerable to be tampered with, would be shielded by the Windows API - that's what I think.


      So let's assume I write a simple program that does read the cache from that Registry and displays that list of programs on the screen.
      I do not think that people will be able to find any judge that will tell me to stop doing that - it's simply part of Windows and without any tricks or backdoor memory-peeks, I access that information.

      It may be a different story if I'm using that information for my own benefit, in the case of Blizzard, to find out whether someone is using a program that I don't like, resulting in that person being banned from using my program. I'm not a lawyer, so I have no idea to what extent the law would be supporting me in this.


      My conclusion would be, for now, that Blizzard actually _are_ reading that Registry and that they know _exactly_ who's running HB.
      Effectively torpedoing the posts of all those people telling us that HB can not be detected.

      Not directly by peeking into memory, that's true.. but there's a simple (legal?) way : the Windows API to access the Registry.


      And to all the people telling us that "if that were the case, we all would have been banned": I don't think so. I am convinced that Blizzard are condoning botters to a certain extent. Mind you, it's a lot of subscription-$$ we're talking about and the WoW economy kind of relies on gatherers to fill the AH. The AH would absolutely be totally different without botters providing all those badly needed materials and items. We've seen cases of people moving to another realm, just because the AH is terrible.

      The relatively large number of bans we have seen lately, is just a scheduled campaign, mainly to show the (complaining) not-botting world that Blizzard actually are doing something about it.

      So indeed, if Blizzard would really want to ban each and every botter from the game, they will be very well capable of doing so - at any time, just by pressing a button.
       
    12. mkay1337

      mkay1337 New Member

      Joined:
      Apr 2, 2013
      Messages:
      171
      Likes Received:
      0
      Trophy Points:
      0
      No; except for HKLM\Security, Windows UAC is quite useless when running with admin privileges.

      msdn on registry in .net
      Registry.GetValue Method (Microsoft.Win32)
      RegistryKey.GetValue Method (Microsoft.Win32)

      There is a Privacy Policy and a clear law in the EU (at least; no clue what it is in the US). I don't think they want to mess with this; even the CEO can be liable for such business practices.

      cheers

      /EDIT:
      I think Process Monitor shows you the exact path of registry variables/keys used by a process, or even a thread:
      Process Monitor
      (Don't blame me pls if i'm wrong ;))
       
    13. Tiama

      Tiama New Member

      Joined:
      Jul 20, 2011
      Messages:
      85
      Likes Received:
      0
      Trophy Points:
      0
      Your conclusion is wrong. You can monitor exactly what wow.exe is reading or writing in the registry or in the file system. Sysinternals and other companies have many tools, not only process monitors, to observe the system, e.g. you can monitor the RAM to see which parts are altered by the process, which parts it tries to read; you can monitor if wow.exe or anything it started tries to read data from another, different process like hb.exe or so.

      And before you say, well, perhaps Blizzard has such talented programmers that they can hide the scanning process: then no again. That would mean altering OS system files, which is illegal. Just one company tried that: Sony with its copy-protection rootkit, and they got kicked in the ass by Microsoft in a lawsuit.

      Computers and programming aren't magic; perhaps you played too much WoW. :cool:
       
    14. Aetheric

      Aetheric Member

      Joined:
      Jul 25, 2012
      Messages:
      576
      Likes Received:
      2
      Trophy Points:
      18
      Thanks for your input - appreciating everyone's view and opinion on this.

      Don't misunderstand me, I'm not posting this to prove my personal point - just trying to put the finger on where the "pain" might be.

      Ok, I understand that it's possible to find out exactly which object any program is accessing.


      But why should Blizzard even try to hide a read action on this particular part of the Windows Registry?
      My point is - and I haven't seen an answer to that yet - that when I write a program that does the same thing (reading the muicache key from the Registry), I will be sued .. by whom?
      Not by Microsoft, because they provide me the API even to access that thing.

      I decided to follow up on MKAY's tip :
      I downloaded the Sysinternals Suite and ran the Process Explorer.
      Started WOW, went to the Process in the second pane on my screen (see attachment).


      Again, I'm not hunting anything down and definitely not HB ..
      But so far, we all have been "guessing" and one is better in that than others, but I simply can't accept a statement from an HB-dev that "Honorbuddy can not be detected".

      No, not from memory-peeks or whatever backdoor tricks there are available, because that would be against the law(?).

      But a simple API call to existing and freely accessible information within my OS reveals just as much.
      If not even more interesting things...


      Lastly, referring to your last remark : because I'm not a Windows developer, doesn't mean I'm a total nitwit. Not going to elaborate, but I'm from the good-old Banking-IT generation, where mainframes still only understood assembler. Just not much into that totally-over-the-top-resources-wasting OS as Windows appears to be. :) <-- notice the smiley - no offence here and none taken

      Check out the attachment - right-click on the key entry within the Process pane .. no magic involved ..
       


      Last edited: May 15, 2013
    15. mkay1337

      mkay1337 New Member

      Joined:
      Apr 2, 2013
      Messages:
      171
      Likes Received:
      0
      Trophy Points:
      0
      Yeah, sure you see the MuiCache for WoW, because wow.exe is put into the MuiCache itself.
       
    16. Aetheric

      Aetheric Member

      Joined:
      Jul 25, 2012
      Messages:
      576
      Likes Received:
      2
      Trophy Points:
      18
      Perhaps you're right, perhaps not ..
      How sure are you that wow.exe doesn't see that info?

      After all, this is _inside_ the wow.exe process itself, not from within the Windows OS.
      Or is it?
       
    17. mkay1337

      mkay1337 New Member

      Joined:
      Apr 2, 2013
      Messages:
      171
      Likes Received:
      0
      Trophy Points:
      0
      I'm pretty sure it can, or could, /see/ the info, but does not use this info (privacy policy stuff).
      The screenshot you posted does not show who accessed this value, nor does it show if it is a read or a write.
      The only thing I see is your user GUID in the title (\REGISTRY\USERS\1-*) and the called key; no further info on this according to your screenshot.

      will check it out myself and get some msdn info on who raises the mui cache event to whom.
       
    18. buzzerbeater

      buzzerbeater Well-Known Member

      Joined:
      Mar 21, 2011
      Messages:
      5,419
      Likes Received:
      28
      Trophy Points:
      48
    19. mkay1337

      mkay1337 New Member

      Joined:
      Apr 2, 2013
      Messages:
      171
      Likes Received:
      0
      Trophy Points:
      0
      Thanks buzzerbeater, read this some time ago and lost the ref ;)
      I also just traced my wow-64.exe.
      It did not access the [...]\shell\MuiCache at any time.

      however it does access some muicaches:
      Desktop\ControlPanel\MuiCache\MachineLanguageConfiguration << stands for itself
      Desktop\MuiCached\MachinePreferedUILanguages << same

      i did not find any more muicache accesses for the wow-64.exe process itself.
      if something accesses the shells muicache it's not wow :)

      cheers
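Two posts up, the objection to the Process Explorer screenshot was that it shows neither which process touched the value nor whether the access was a read or a write; the post above answers that with a Process Monitor trace. The script below is an added example, not code from the thread or from any tool or program it mentions, showing the same check done with what Windows already ships: a SACL on the MuiCache key plus the Registry object-access audit subcategory, after which every successful open of the key is written to the Security log as event 4663, with the process name, the kernel object path (the \REGISTRY\USER\<SID>\... form seen in the screenshot) and the access type requested. It must be run in an elevated PowerShell 5 or later session, because auditpol, writing a SACL and reading the Security log all need administrative rights. The decode table for the AccessList field uses the standard message-table IDs Windows prints for registry access rights.

```powershell
# Added example (not from the thread): let Windows record which process reads the Shell MuiCache,
# using object-access auditing and the Security event log instead of a GUI tracer.
# Run in an elevated PowerShell 5+ session; auditpol, Set-Acl on a SACL and the Security log need admin.
$MuiCachePath = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache'

function New-MuiCacheAuditRule {
    # Audit every successful read (ReadKey = QueryValues, EnumerateSubKeys, Notify, ReadPermissions)
    # of the key and its subkeys, by any identity.
    [System.Security.AccessControl.RegistryAuditRule]::new(
        'Everyone',
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
}

function Enable-MuiCacheAccessAudit {
    param([string]$Path = $MuiCachePath)
    # 1. The "Registry" subcategory of Object Access auditing must be on, or SACLs are never evaluated.
    auditpol /set /subcategory:"Registry" /success:enable | Out-Null
    # 2. Attach the SACL to the key. Get-Acl -Audit fetches the SACL as well as the DACL.
    $acl = Get-Acl -LiteralPath $Path -Audit
    $acl.AddAuditRule((New-MuiCacheAuditRule))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Disable-MuiCacheAccessAudit {
    param([string]$Path = $MuiCachePath)
    $acl = Get-Acl -LiteralPath $Path -Audit
    $acl.RemoveAuditRuleAll((New-MuiCacheAuditRule))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Message-table IDs Windows uses in the AccessList field of event 4663 for registry keys.
$RegAccessNames = @{
    '%%4432' = 'Query key value'
    '%%4433' = 'Set key value'
    '%%4434' = 'Create sub-key'
    '%%4435' = 'Enumerate sub-keys'
    '%%4436' = 'Notify about changes'
}

function Get-MuiCacheAccessEvents {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    # 4663 = "An attempt was made to access an object". ObjectName is the kernel path
    # (\REGISTRY\USER\<SID>\Software\Classes\...), so match on the tail of the key.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data.ObjectType -eq 'Key' -and $data.ObjectName -like '*\Shell\MuiCache*') {
                $ops = ($data.AccessList -split '\s+' | Where-Object { $_ } |
                        ForEach-Object { if ($RegAccessNames[$_]) { $RegAccessNames[$_] } else { $_ } }) -join ', '
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Process = $data.ProcessName
                    Pid     = [Convert]::ToInt32($data.ProcessId, 16)   # logged as hex, e.g. 0x1a4
                    Access  = $ops
                    Object  = $data.ObjectName
                }
            }
        }
}

# Usage: enable, run the program under suspicion for a while, then see who touched the key.
# Enable-MuiCacheAccessAudit
# Get-MuiCacheAccessEvents | Group-Object Process, Access | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
# Disable-MuiCacheAccessAudit
```

Expect explorer.exe to dominate the output, since the shell both reads and writes this key as part of normal operation; the question asked in the thread is answered by whether any other process name appears at all, and with which access type. Disable the rule again when done, and if Registry auditing was off before, turn it back off with `auditpol /set /subcategory:"Registry" /success:disable`, otherwise the Security log fills up quickly.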
       
    20. Aetheric

      Aetheric Member

      Joined:
      Jul 25, 2012
      Messages:
      576
      Likes Received:
      2
      Trophy Points:
      18
      I simply don't have enough in-depth knowledge of Windows to gauge the significance of the cache entry I attached to my earlier post - but I do know what I saw and that print came from my wow session (I'm not using wow-64 btw, but I suppose that shouldn't make any difference in this case).

      At least you gave me a profound second opinion :)
      Many thanks for that ..
       
